Hello Yang Xu,

On 12/12/19 8:23 AM, Yang Xu wrote:
> I see kernel code security/commoncap.c cap_capset function, it only
> verifies the new_Effective is a subset of the new_Permitted. It doesn't
> verify whether the new_Inheritable is a subset of the new_Permitted.
>
> I found it when I cleanup ltp capset02 test code.
>
> Signed-off-by: Yang Xu <xuyang2018.jy@xxxxxxxxxxxxxx>
> ---
>  man2/capget.2 | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/man2/capget.2 b/man2/capget.2
> index 94d38d877..6cad3d5d8 100644
> --- a/man2/capget.2
> +++ b/man2/capget.2
> @@ -195,8 +195,7 @@ One of the arguments was invalid.
>  .TP
>  .B EPERM
>  An attempt was made to add a capability to the Permitted set, or to set
> -a capability in the Effective or Inheritable sets that is not in the
> -Permitted set.
> +a capability in the Effective sets that is not in the Permitted set.
>  .TP
>  .B EPERM
>  The caller attempted to use

Thanks for your note. The manual page is indeed imprecise, but there
are checks elsewhere (in cap_capset()) that restrict the kinds of
changes that can be made to the inheritable set. I applied the patch
below, which I think correctly captures the details (which were
already described in capabilities(7)).

Thanks,

Michael

diff --git a/man2/capget.2 b/man2/capget.2
index 94d38d877..1d81075ba 100644
--- a/man2/capget.2
+++ b/man2/capget.2
@@ -195,10 +195,22 @@ One of the arguments was invalid.
 .TP
 .B EPERM
 An attempt was made to add a capability to the Permitted set, or to set
-a capability in the Effective or Inheritable sets that is not in the
+a capability in the Effective set that is not in the
 Permitted set.
 .TP
 .B EPERM
+An attempt was made to add a capability to the inheritable set, and either:
+.RS
+.IP * 3
+that capability was not in the caller's bounding set; or
+.IP *
+the capability was not in the caller's permitted set
+and the caller lacked the
+.B CAP_SETPCAP
+capability in its effective set.
+.RE
+.TP
+.B EPERM
 The caller attempted to use
 .BR capset ()
 to modify the capabilities of a thread other than itself,

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
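Review bot: in Yang Xu's quoted hunk for man2/capget.2, the replacement line "a capability in the Effective sets that is not in the Permitted set." has a number agreement error ("Effective sets" should be "Effective set"), and deleting the Inheritable clause outright removes a restriction that still exists: as the reply notes, cap_capset() does limit what can be added to the inheritable set, so the entry should state the precise condition rather than drop the mention.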
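Review bot: in the applied hunk for man2/capget.2, capitalization of the set names is inconsistent within the same ERRORS section: the retained entry says "Permitted set" and "Effective set" while the new entry says "inheritable set", "bounding set", "permitted set" and "effective set"; pick one convention for both entries. Since the reply says these rules are already described in capabilities(7), a ".BR capabilities (7)" cross-reference at the end of the new entry would also help readers find the full rules. The hunk header "-195,10 +195,22" is consistent with the 1 removed and 13 added lines shown.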
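As an added example (not code from this thread, from the man-pages project, or from the kernel), the C program below models the EPERM rules that the revised capget(2) text states: the permitted set may only shrink, the new effective set must be a subset of the new permitted set, and a capability newly added to the inheritable set must be in the caller's bounding set and, unless the caller has CAP_SETPCAP in its effective set, in the caller's permitted set. Capability sets are 64-bit masks; the CAP_* numbers are the real Linux values, while the struct, function and scenario names are my own. This is a simplified model for reasoning about the rules, not the kernel's cap_capset() implementation in security/commoncap.c.

```c
/* Added example: a model of the capset(2) EPERM rules described above.
 * Not the kernel's cap_capset(); the names below are constructed for this
 * illustration. CAP_* numbers are the real Linux values. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capset_t;

#define CAP_BIT(n) ((capset_t)1 << (n))
#define CAP_SETPCAP 8
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

struct caps {
    capset_t effective;
    capset_t permitted;
    capset_t inheritable;
    capset_t bounding;   /* the caller's bounding set */
};

static int is_subset(capset_t a, capset_t b) { return (a & ~b) == 0; }

/* Returns 0 if the change is allowed, otherwise EPERM. "Attempt to add" to
 * the inheritable set means bits in new_inh that were not in old->inheritable,
 * so merely keeping an existing inheritable bit is never an addition. */
static int model_capset(const struct caps *old, capset_t new_eff,
                        capset_t new_perm, capset_t new_inh)
{
    capset_t added_inh = new_inh & ~old->inheritable;
    int has_setpcap = (old->effective & CAP_BIT(CAP_SETPCAP)) != 0;

    if (!is_subset(new_perm, old->permitted))
        return EPERM;   /* no capability may be added to the permitted set */
    if (!is_subset(new_eff, new_perm))
        return EPERM;   /* effective must be a subset of the new permitted */
    if (!is_subset(added_inh, old->bounding))
        return EPERM;   /* new inheritable bits must be in the bounding set */
    if (!has_setpcap && !is_subset(added_inh, old->permitted))
        return EPERM;   /* ...and in permitted, unless caller has CAP_SETPCAP */
    return 0;
}

static const capset_t ALL = ~(capset_t)0;

/* Unprivileged caller (empty sets) adds CAP_NET_BIND_SERVICE to pI: EPERM. */
static int scenario_unprivileged_add_inheritable(void)
{
    struct caps old = {0, 0, 0, ALL};
    return model_capset(&old, 0, 0, CAP_BIT(CAP_NET_BIND_SERVICE));
}

/* Effective set would contain a bit outside the new permitted set: EPERM. */
static int scenario_effective_outside_permitted(void)
{
    struct caps old = {CAP_BIT(CAP_NET_BIND_SERVICE),
                       CAP_BIT(CAP_NET_BIND_SERVICE), 0, ALL};
    return model_capset(&old,
                        CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_NET_ADMIN),
                        CAP_BIT(CAP_NET_BIND_SERVICE), 0);
}

/* Caller with CAP_SETPCAP in pE adds a bit to pI that is not in pP: allowed. */
static int scenario_setpcap_adds_inheritable(void)
{
    struct caps old = {CAP_BIT(CAP_SETPCAP), CAP_BIT(CAP_SETPCAP), 0, ALL};
    return model_capset(&old, CAP_BIT(CAP_SETPCAP), CAP_BIT(CAP_SETPCAP),
                        CAP_BIT(CAP_NET_ADMIN));
}

/* Same caller, but the bit is outside the bounding set: EPERM regardless. */
static int scenario_bounding_set_blocks_inheritable(void)
{
    struct caps old = {CAP_BIT(CAP_SETPCAP), CAP_BIT(CAP_SETPCAP), 0,
                       ALL & ~CAP_BIT(CAP_NET_ADMIN)};
    return model_capset(&old, CAP_BIT(CAP_SETPCAP), CAP_BIT(CAP_SETPCAP),
                        CAP_BIT(CAP_NET_ADMIN));
}

/* Dropping a capability from pP and pE is always allowed. */
static int scenario_drop_permitted(void)
{
    capset_t both = CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_NET_ADMIN);
    struct caps old = {both, both, 0, ALL};
    return model_capset(&old, CAP_BIT(CAP_NET_BIND_SERVICE),
                        CAP_BIT(CAP_NET_BIND_SERVICE), 0);
}

/* A bit already in pI but not in pP is kept, not added: allowed. */
static int scenario_existing_inheritable_kept(void)
{
    struct caps old = {0, 0, CAP_BIT(CAP_SYS_ADMIN), ALL};
    return model_capset(&old, 0, 0, CAP_BIT(CAP_SYS_ADMIN));
}

int main(void)
{
    printf("unprivileged add to pI:      %s\n",
           scenario_unprivileged_add_inheritable() ? "EPERM" : "ok");
    printf("pE outside new pP:           %s\n",
           scenario_effective_outside_permitted() ? "EPERM" : "ok");
    printf("CAP_SETPCAP adds to pI:      %s\n",
           scenario_setpcap_adds_inheritable() ? "EPERM" : "ok");
    printf("bit outside bounding set:    %s\n",
           scenario_bounding_set_blocks_inheritable() ? "EPERM" : "ok");
    printf("dropping from pP/pE:         %s\n",
           scenario_drop_permitted() ? "EPERM" : "ok");
    printf("existing pI bit kept:        %s\n",
           scenario_existing_inheritable_kept() ? "EPERM" : "ok");
    return 0;
}
```

The last two scenarios show why the ERRORS entry is worded in terms of an attempt to add a capability: shrinking any set, or leaving an existing inheritable bit in place, never triggers the inheritable-set checks.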